tl;dr Generate a certificate issued by own CA (see the script below) Here’s what I’ve found. Correct me where I’m wrong. There are CA’s (certificate authorities). They issue certificates (sign CSR’s) for other CA’s (intermediate CA’s), or servers (end entity certificates). Some of them are root authorities. They have self-signed certificates, issued by themselves. That … Read more
There’s a common misconception that self-signed certificates are inherently less secure than those sold by commercial CA’s like GoDaddy and Verisign, and that you have to live with browser warnings/exceptions if you use them; this is incorrect. If you securely distribute a self-signed certificate (or CA cert, as bobince suggested) and install it in the … Read more
Is is really true that there is no way around of generating a keystore file and importing the CA certificate? There are way to do it without a keystore file, but since you would have to load the CA certificate you want to trust one way or another, you’ll have to load a file or … Read more
[Update 2016-06-08: According to https://bugs.openjdk.java.net/browse/JDK-8154757 the IdenTrust CA will be included in Oracle Java 8u101.] [Update 2016-08-05: Java 8u101 has been released and does indeed include the IdenTrust CA: release notes] Does Java support Let’s Encrypt certificates? Yes. The Let’s Encrypt certificate is just a regular public key certificate. Java supports it (according to Let’s … Read more
It’s possible that you may have imported the intermediate CA certificate into the keystore without associating it with the entry where you have your client certificate and its private key. You should be able to see this using keytool -v -list -keystore store.jks. If you only get one certificate per alias entry, they’re not together. … Read more
It’s a pretty common problem in Windows. You need just to set cacert.pem to curl.cainfo. Since PHP 5.3.7 you could do: download https://curl.se/ca/cacert.pem and save it somewhere. update php.ini — add curl.cainfo = “PATH_TO/cacert.pem” Otherwise you will need to do the following for every cURL resource: curl_setopt ($ch, CURLOPT_CAINFO, “PATH_TO/cacert.pem”);
The first thing you need to do is to set the level of verification. Such levels is not so much: ALLOW_ALL_HOSTNAME_VERIFIER BROWSER_COMPATIBLE_HOSTNAME_VERIFIER STRICT_HOSTNAME_VERIFIER Although the method setHostnameVerifier() is obsolete for new library apache, but for version in Android SDK is normal. And so we take ALLOW_ALL_HOSTNAME_VERIFIER and set it in the method factory SSLSocketFactory.setHostnameVerifier(). Next, … Read more
1. Using the x509 module openssl x509 … … 2 Using the ca module openssl ca … … You are missing the prelude to those commands. This is a two-step process. First you set up your CA, and then you sign an end entity certificate (a.k.a server or user). Both of the two commands elide … Read more